Bug #48379 Bogus value in variables leaked from POST or SESSION
Submitted: 2009-05-25 03:37 UTC Modified: 2009-05-25 12:43 UTC
From: anchoa at cardumen dot info Assigned:
Status: Not a bug Package: Variables related
PHP Version: 5.2.9 OS: linux
Private report: No CVE-ID: None
 [2009-05-25 03:37 UTC] anchoa at cardumen dot info
Description:
------------
Variables that have the same name as an associative POST or SESSION 
variable are assigned their values. For example, if $_SESSION['v1'] == 
"abcd", $v1 is assigned "abcd" instead of being left undefined. 

Reproduce code:
---------------
See:

http://testing.cardumen.com/session-bug.php


Expected result:
----------------
The right behavior is for the four variables v1, v2, v3, and v4 to 
remain undefined.

Actual result:
--------------
Enter some data in text fields v1, v2, v3, and v4.

Variables $v1, $v2, $v3, and $v4 will be assigned the values leaked from 
$_SESSION['v1'], $_SESSION['v2'], $_SESSION['v3'], and $_SESSION['v4'].

If you comment out session_start(); and/or $_SESSION = $_POST; the 
values will be leaked from $_POST.

 [2009-05-25 08:05 UTC] jani@php.net
And register_globals is off..?
 [2009-05-25 12:13 UTC] anchoa at cardumen dot info
When the leak happens, register_globals is on

When I turn register_globals off, the leak does not happen.

register_globals is now "on" at the test site
 [2009-05-25 12:25 UTC] anchoa at cardumen dot info
The variable that is giving me troubles (in my real code, not the test 
code) was initialized to empty ($var = '') before calling 
session_start() and, supposedly, an already initialized variable should 
not be injected with a new value.
 [2009-05-25 12:43 UTC] jani@php.net
That "leak" is expected when you have register_globals=On. And that's one reason register_globals will be gone in PHP 6.. :)
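
Added example, not part of the original report or of PHP itself: since the behaviour in this thread depends entirely on register_globals being on, the script below checks php.ini text and Apache per-directory files for an enabled setting. The function names and the sample files are constructed for illustration.

```python
import re

# Values PHP treats as boolean true for ini flags.
TRUE_VALUES = {"1", "on", "true", "yes"}

# php.ini style:            register_globals = On   ; trailing comment
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^";\s]*)"?', re.I)
# Apache per-directory style: php_flag register_globals on
FLAG_RE = re.compile(
    r"^\s*php_(?:admin_)?flag\s+register_globals\s+(\S+)", re.I)


def register_globals_enabled(text, default=False):
    """Return the effective register_globals value set by one config file.

    Later assignments override earlier ones, so the last match wins.
    `default` applies when the file never sets the directive (the PHP
    default has been Off since 4.2.0).
    """
    enabled = default
    for line in text.splitlines():
        if line.lstrip().startswith((";", "#")):  # commented-out line
            continue
        m = INI_RE.match(line) or FLAG_RE.match(line)
        if m:
            enabled = m.group(1).lower() in TRUE_VALUES
    return enabled


def audit(configs):
    """Take {name: file text}; return sorted names with the flag enabled."""
    return sorted(n for n, t in configs.items()
                  if register_globals_enabled(t))


# Constructed sample files, not taken from the bug report.
SAMPLES = {
    "php.ini": "[PHP]\n; register_globals = Off\n"
               "register_globals = On ; legacy app\n",
    "hardened/php.ini": "register_globals = On\nregister_globals = Off\n",
    "site/.htaccess": "# legacy\nphp_flag register_globals on\n",
    "other/.htaccess": "php_flag display_errors off\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: register_globals is enabled")
```

A per-directory `php_flag` can enable the setting even when php.ini has it off, so both kinds of file need checking.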
 
Last updated: Sun Jun 01 02:01:27 2025 UTC